wolfSSL · JeremiahM37 · Jan 8, 2026 · cconlon · Feb 11, 2026
diff --git a/java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile b/java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/Dockerfile
@@ -0,0 +1,261 @@
+# Spring Boot SSL Tests with wolfJSSE FIPS
+# Build: docker build -t spring-boot-wolfjsse-fips .
+
+ARG FIPS_BASE_IMAGE=wolfssl-openjdk-fips-root:latest
+ARG SPRING_BOOT_TAG=v3.4.1
+
+# Stage 1: Build Spring Boot with FIPS patches
+FROM rootpublic/openjdk:19-jdk-bookworm-slim AS builder
+RUN apt-get update && apt-get install -y build-essential git perl && rm -rf /var/lib/apt/lists/*
+WORKDIR /app/spring-boot
+ARG SPRING_BOOT_TAG
+RUN git clone --depth 1 --branch ${SPRING_BOOT_TAG} https://github.com/spring-projects/spring-boot.git .
+COPY apply_spring_fips_fixes.sh /tmp/
+RUN chmod +x /tmp/apply_spring_fips_fixes.sh && /tmp/apply_spring_fips_fixes.sh /app/spring-boot
+# Pre-compile test sources to warm the Gradle cache. Failures are tolerated because
+# they do not affect the runtime image, but a warning is logged if this step fails.
+RUN if ! ./gradlew :spring-boot-project:spring-boot:compileTestJava \
+    :spring-boot-project:spring-boot-autoconfigure:compileTestJava \
+    :spring-boot-project:spring-boot-actuator:compileTestJava \
+    --no-daemon -x checkstyleMain -x checkstyleTest -x checkFormat; then \
+      echo "WARNING: Gradle compileTestJava tasks failed; continuing Docker build because tests are not required for the runtime image."; \
+    fi
+# Resolve test runtime classpath dependencies. Failures are tolerated but logged,
+# since these dependencies are only needed for test execution, not for running the image.
+RUN if ! ./gradlew :spring-boot-project:spring-boot:dependencies --configuration testRuntimeClasspath --no-daemon; then \
+      echo "WARNING: Gradle dependencies (testRuntimeClasspath) resolution failed; continuing Docker build because tests are not required for the runtime image."; \
+    fi
+
+# Stage 2: Runtime with FIPS base
+FROM ${FIPS_BASE_IMAGE}
+RUN apt-get update && apt-get install -y git openjdk-17-jdk-headless openssl && rm -rf /var/lib/apt/lists/*
+ENV GRADLE_JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+COPY --from=builder /app/spring-boot /app/spring-boot
+COPY --from=builder /root/.gradle /root/.gradle
+
+# Get wolfSSL certs and generate test certs with localhost SAN
+RUN git clone --depth 1 --filter=blob:none --sparse https://github.com/wolfSSL/wolfssl.git /tmp/wolfssl && \
+    cd /tmp/wolfssl && git sparse-checkout set certs && cp -r certs /app/certs && rm -rf /tmp/wolfssl && \
+    for f in /app/certs/*.pem; do [ -f "$f" ] && grep -q "BEGIN" "$f" && sed -n '/-----BEGIN/,/-----END/p' "$f" > "$f.tmp" && mv "$f.tmp" "$f"; done && \
+    for k in /app/certs/*-key.pem; do grep -q "BEGIN RSA PRIVATE KEY\|BEGIN EC PRIVATE KEY" "$k" 2>/dev/null && \
+        openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$k" -out "$k.p8" && mv "$k.p8" "$k"; done
+
+# Generate CA-signed test certificates with localhost SAN
+RUN mkdir -p /app/certs/test && cd /app/certs/test && \
+    printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n[srv]\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:localhost,IP:127.0.0.1\n' > ext.cnf && \
+    openssl genrsa -out ca-key.pem 2048 && \
+    openssl req -new -x509 -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/CN=Test CA" && \
+    openssl genrsa -out server-key.pem 2048 && \
+    openssl req -new -key server-key.pem -subj "/CN=localhost" | openssl x509 -req -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile ext.cnf -extensions srv && \
+    openssl genrsa -out client-key.pem 2048 && \
+    openssl req -new -key client-key.pem -subj "/CN=client" | openssl x509 -req -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile ext.cnf -extensions srv && \
+    for k in *-key.pem; do openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in "$k" -out "$k.p8" && mv "$k.p8" "$k"; done && \
+    rm -f *.csr *.srl ext.cnf
+
+WORKDIR /app/spring-boot
+ENV FIPS_CHECK=true GRADLE_OPTS="-Xmx4g -XX:MaxMetaspaceSize=512m"
+ENV WOLFJSSE_TEST_OPTS="-Xbootclasspath/a:/usr/share/java/wolfcrypt-jni.jar:/usr/share/java/wolfssl-jsse.jar:/usr/share/java/filtered-providers.jar \
+    -Djava.library.path=/usr/lib/jni:/usr/local/lib \
+    -Djavax.net.ssl.trustStore=/app/spring-boot/spring-boot-project/spring-boot/src/test/resources/truststore.wks \
+    -Djavax.net.ssl.trustStorePassword=wolfSSLFIPSPwd2024 -Djavax.net.ssl.trustStoreType=WKS \
+    --add-modules=jdk.crypto.ec \
+    --add-exports=jdk.crypto.ec/sun.security.ec=ALL-UNNAMED \
+    --add-opens=jdk.crypto.ec/sun.security.ec=ALL-UNNAMED \
+    --add-opens=java.base/java.security=ALL-UNNAMED \
+    --add-opens=java.base/sun.security.provider=ALL-UNNAMED \
+    --add-opens=java.base/sun.security.util=ALL-UNNAMED \
+    --add-opens=java.base/sun.security.rsa=ALL-UNNAMED"
+
+RUN ln -sf /usr/lib/jni/libwolfssljni.so /usr/local/openjdk-19/lib/ && \
+    ln -sf /usr/lib/jni/libwolfcryptjni.so /usr/local/openjdk-19/lib/ && \
+    ln -sf /usr/local/lib/libwolfssl.so /usr/local/openjdk-19/lib/
+
+# Gradle security config (needs MD5 for checksums, WKS as default keystore)
+RUN cat > /usr/local/openjdk-19/conf/security/java.security.gradle <<'EOF'
+security.provider.1=SUN
+security.provider.2=SunRsaSign
+security.provider.3=SunEC
+security.provider.4=SunJSSE
+security.provider.5=SunJCE
+keystore.type=WKS
+keystore.type.compat=true
+EOF
+
+# Gradle init for wolfJSSE test configuration
+RUN mkdir -p /root/.gradle/init.d && cat > /root/.gradle/init.d/wolfjsse.gradle <<'EOF'
+allprojects {
+    // Skip buildSrc tests - they fail due to FIPS environment (MD5 checksums, etc.)
+    if (project.name == 'buildSrc' || project.path.startsWith(':buildSrc')) {
+        tasks.withType(Test) { enabled = false }
+    }
+    tasks.withType(Test) {
+        executable = '/usr/local/openjdk-19/bin/java'
+        def opts = System.getenv('WOLFJSSE_TEST_OPTS')
+        if (opts) jvmArgs opts.split(/\s+/).findAll { it.trim() }
+        systemProperty 'junit.jupiter.execution.timeout.default', '120s'
+        testLogging { events "passed", "skipped", "failed"; showExceptions = true }
+    }
+}
+EOF
+
+# WKS keystore utilities
+RUN mkdir -p /app/util && cat > /app/util/WksUtil.java <<'JAVA'
+import java.io.*; import java.nio.file.*; import java.security.*; import java.security.spec.*; import java.util.*;
+public class WksUtil {
+    static final char[] PWD = "wolfSSLFIPSPwd2024".toCharArray();
+    public static void main(String[] a) throws Exception {
+        if ("combined".equals(a[0])) combined(a[1],a[2],a[3],a[4],a[5],a[6].toCharArray());
+        else if ("trust".equals(a[0])) trust(a[1],a[2],a[3],a[4].toCharArray());
+        else if ("convert".equals(a[0])) convert(a[1],a[2].toCharArray(),a[3],a[4].toCharArray());
+        else if ("addca".equals(a[0])) addca(a[1],a[2],a[3],a[4]);
+    }
+    static void combined(String cert, String key, String ca, String out, String alias, char[] pwd) throws Exception {
+        KeyStore ks = KeyStore.getInstance("WKS"); ks.load(null, pwd);
+        ks.setKeyEntry(alias, loadKey(key), pwd, new java.security.cert.Certificate[]{loadCert(cert), loadCert(ca)});
+        ks.setCertificateEntry("ca", loadCert(ca));
+        try (FileOutputStream f = new FileOutputStream(out)) { ks.store(f, pwd); }
+        System.out.println("Created combined keystore+truststore: " + out);
+    }
+    static void trust(String cert, String out, String alias, char[] pwd) throws Exception {
+        KeyStore ks = KeyStore.getInstance("WKS"); ks.load(null, pwd);
+        ks.setCertificateEntry(alias, loadCert(cert));
+        try (FileOutputStream f = new FileOutputStream(out)) { ks.store(f, pwd); }
+        System.out.println("Created truststore: " + out);
+    }
+    static void convert(String in, char[] srcPwd, String out, char[] dstPwd) throws Exception {
+        String type = in.toLowerCase().endsWith(".p12") ? "PKCS12" : "JKS";
+        KeyStore src = KeyStore.getInstance(type);
+        try (FileInputStream f = new FileInputStream(in)) { src.load(f, srcPwd); }
+        KeyStore dst = KeyStore.getInstance("WKS"); dst.load(null, dstPwd);
+        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
+            String a = e.nextElement();
+            if (src.isKeyEntry(a)) dst.setKeyEntry(a, src.getKey(a, srcPwd), dstPwd, src.getCertificateChain(a));
+            else dst.setCertificateEntry(a, src.getCertificate(a));
+        }
+        try (FileOutputStream f = new FileOutputStream(out)) { dst.store(f, dstPwd); }
+        System.out.println("Converted: " + in + " -> " + out);
+    }
+    static void addca(String ksPath, String caPath, String pwd, String alias) throws Exception {
+        KeyStore ks = KeyStore.getInstance("WKS");
+        try (FileInputStream f = new FileInputStream(ksPath)) { ks.load(f, pwd.toCharArray()); }
+        if (!ks.containsAlias(alias)) {
+            ks.setCertificateEntry(alias, loadCert(caPath));
+            try (FileOutputStream f = new FileOutputStream(ksPath)) { ks.store(f, pwd.toCharArray()); }
+            System.out.println("  Added test CA to cacerts as: " + alias);
+        }
+        System.out.println("Done. cacerts now has " + ks.size() + " entries");
+    }
+    static java.security.cert.Certificate loadCert(String f) throws Exception {
+        try (FileInputStream in = new FileInputStream(f)) {
+            return java.security.cert.CertificateFactory.getInstance("X.509", "FilteredSun").generateCertificate(in);
+        }
+    }
+    static PrivateKey loadKey(String f) throws Exception {
+        String pem = new String(Files.readAllBytes(Paths.get(f)))
+            .replace("-----BEGIN PRIVATE KEY-----","").replace("-----END PRIVATE KEY-----","").replaceAll("\\s","");
+        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(pem));
+        try { return KeyFactory.getInstance("RSA").generatePrivate(spec); }
+        catch (Exception e) { return KeyFactory.getInstance("EC").generatePrivate(spec); }
+    }
+}
+JAVA
+RUN cd /app/util && /usr/local/openjdk-19/bin/javac -cp /usr/share/java/wolfcrypt-jni.jar:/usr/share/java/wolfssl-jsse.jar WksUtil.java
+
+# Create WKS keystores script
+RUN cat > /app/create-wks.sh <<'WKSEOF' && chmod +x /app/create-wks.sh
+#!/bin/bash
+FIPS_PWD="wolfSSLFIPSPwd2024"; CERTS="/app/certs/test"; SP="/app/spring-boot/spring-boot-project"
+run() { /usr/local/openjdk-19/bin/java -cp /app/util:/usr/share/java/wolfcrypt-jni.jar:/usr/share/java/wolfssl-jsse.jar:/usr/share/java/filtered-providers.jar -Djava.library.path=/usr/lib/jni:/usr/local/lib WksUtil "$@"; }
+conv() { /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Xbootclasspath/a:/usr/share/java/wolfcrypt-jni.jar:/usr/share/java/wolfssl-jsse.jar -Djava.library.path=/usr/lib/jni:/usr/local/lib -cp /app/util:/usr/share/java/wolfcrypt-jni.jar:/usr/share/java/wolfssl-jsse.jar WksUtil "$@"; }
+
+echo "=== Converting JKS/P12 to WKS ==="
+find "$SP" -name "*.jks" -o -name "*.p12" 2>/dev/null | while read -r f; do
+    w="${f%.*}.wks"; for p in password secret changeit; do conv convert "$f" "$p" "$w" "$FIPS_PWD" 2>/dev/null && break; done
+done
+# Delete old JKS/P12 files after conversion to avoid loading wrong format
+echo "=== Deleting old JKS/P12 files ==="
+find "$SP" -name "*.jks" -delete 2>/dev/null || true
+find "$SP" -name "*.p12" -delete 2>/dev/null || true
+
+echo "=== Creating WKS keystores ==="
+for d in "$SP/spring-boot/src/test/resources" "$SP/spring-boot-autoconfigure/src/test/resources" "$SP/spring-boot-actuator/src/test/resources"; do
+    [ -d "$d" ] && for n in test restricted test-expired test-not-yet-valid; do
+        [ ! -f "$d/$n.wks" ] && run combined "$CERTS/server-cert.pem" "$CERTS/server-key.pem" "$CERTS/ca-cert.pem" "$d/$n.wks" "test-alias" "$FIPS_PWD" 2>/dev/null
+    done && run trust "$CERTS/ca-cert.pem" "$d/truststore.wks" "ca" "$FIPS_PWD" 2>/dev/null
+done
+
+for sub in rsocket amqp ssl cassandra data/redis data/mongo mongo mail; do
+    d="$SP/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/$sub"
+    mkdir -p "$d" 2>/dev/null; [ -d "$d" ] && {
+        [ ! -f "$d/test.wks" ] && run combined "$CERTS/server-cert.pem" "$CERTS/server-key.pem" "$CERTS/ca-cert.pem" "$d/test.wks" "test-alias" "$FIPS_PWD" 2>/dev/null
+        [ ! -f "$d/keystore.wks" ] && run combined "$CERTS/server-cert.pem" "$CERTS/server-key.pem" "$CERTS/ca-cert.pem" "$d/keystore.wks" "test-alias" "$FIPS_PWD" 2>/dev/null
+        [ ! -f "$d/truststore.wks" ] && run trust "$CERTS/ca-cert.pem" "$d/truststore.wks" "ca" "$FIPS_PWD" 2>/dev/null
+    }
+done
+
+for d in "$SP/spring-boot/src/test/resources" "$SP/spring-boot-autoconfigure/src/test/resources"; do
+    [ -d "$d" ] && {
+        [ ! -f "$d/client.wks" ] && run combined "$CERTS/client-cert.pem" "$CERTS/client-key.pem" "$CERTS/ca-cert.pem" "$d/client.wks" "client" "$FIPS_PWD" 2>/dev/null
+        [ ! -f "$d/server-with-client-trust.wks" ] && run combined "$CERTS/server-cert.pem" "$CERTS/server-key.pem" "$CERTS/ca-cert.pem" "$d/server-with-client-trust.wks" "server" "$FIPS_PWD" 2>/dev/null
+    }
+done
+echo "=== WKS setup complete: $(find "$SP" -name '*.wks' 2>/dev/null | wc -l) files ==="
+WKSEOF
+RUN /app/create-wks.sh
+
+# Add test CA to all truststores
+RUN cat > /app/add-ca.sh <<'ADDEOF' && chmod +x /app/add-ca.sh
+#!/bin/bash
+FIPS_PWD="wolfSSLFIPSPwd2024"; CA="/app/certs/test/ca-cert.pem"; SP="/app/spring-boot/spring-boot-project"
+run() { /usr/local/openjdk-19/bin/java -cp /app/util:/usr/share/java/wolfcrypt-jni.jar:/usr/share/java/wolfssl-jsse.jar:/usr/share/java/filtered-providers.jar -Djava.library.path=/usr/lib/jni:/usr/local/lib WksUtil addca "$1" "$CA" "$FIPS_PWD" "test-ca" 2>/dev/null; }
+echo "Adding test CA to all test truststores..."
+for f in $(find "$SP" -name "truststore.wks" -o -name "test.wks" 2>/dev/null); do echo "  Checking: $f"; run "$f"; done
+echo "Done adding test CA to truststores"
+ADDEOF
+RUN /app/add-ca.sh || true
+
+# Replace test PEM files with CA-signed certificates
+# This is critical because Spring Boot tests that load PEM directly need CA-signed certs
+RUN CERTS="/app/certs/test" && SP="/app/spring-boot/spring-boot-project" && \
+    # Create certificate chain (server cert + CA cert)
+    cat "$CERTS/server-cert.pem" "$CERTS/ca-cert.pem" > /tmp/test-cert-chain.pem && \
+    # Replace PEM files in all test resource directories
+    for d in "$SP/spring-boot/src/test/resources" \
+             "$SP/spring-boot-autoconfigure/src/test/resources" \
+             "$SP/spring-boot-actuator/src/test/resources"; do \
+        [ -d "$d" ] && { \
+            cp "$CERTS/server-cert.pem" "$d/test-cert.pem" 2>/dev/null || true; \
+            cp "$CERTS/server-key.pem" "$d/test-key.pem" 2>/dev/null || true; \
+            cp /tmp/test-cert-chain.pem "$d/test-cert-chain.pem" 2>/dev/null || true; \
+            echo "Replaced PEM files in $d"; \
+        }; \
+    done && rm -f /tmp/test-cert-chain.pem && \
+    echo "=== PEM file replacement complete ==="
+
+# Test runner
+RUN cat > /app/run-tests.sh <<'EOF' && chmod +x /app/run-tests.sh
+#!/bin/bash
+cd /app/spring-boot; export JAVA_HOME="${GRADLE_JAVA_HOME}"; unset JAVA_TOOL_OPTIONS
+RUNS=()
+run() { local name="$1"; shift; RUNS+=("$name"); echo -e "\n=== Running: $name ==="; "$@" 2>&1 | tee "/tmp/${name}.log"; }
+summary() {
+    for n in "${RUNS[@]}"; do
+        local p f s t
+        p=$(grep -c ' PASSED$' "/tmp/$n.log" 2>/dev/null) || p=0
+        f=$(grep -c ' FAILED$' "/tmp/$n.log" 2>/dev/null) || f=0
+        s=$(grep -c ' SKIPPED$' "/tmp/$n.log" 2>/dev/null) || s=0
+        t=$((p + f + s))
+        [ "$t" -gt 0 ] && echo "- $n: $t tests: $p passed, $f failed, $s skipped"
+    done
+}
+
+./gradlew :spring-boot-project:spring-boot:clean :spring-boot-project:spring-boot-autoconfigure:clean :spring-boot-project:spring-boot-actuator:clean --no-daemon 2>/dev/null || true
+
+run spring-boot ./gradlew :spring-boot-project:spring-boot:test --tests "*Ssl*" --tests "*ssl*" --tests "*Pem*" --tests "*Jks*" --tests "*Keystore*" --no-daemon -x checkstyleMain -x checkstyleTest -x checkFormat -x :buildSrc:test -x :buildSrc:check --continue || true
+run spring-boot-autoconfigure ./gradlew :spring-boot-project:spring-boot-autoconfigure:test --tests "*Ssl*" --tests "*ssl*" --no-daemon -x checkstyleMain -x checkstyleTest -x checkFormat -x :buildSrc:test -x :buildSrc:check --continue || true
+run spring-boot-actuator ./gradlew :spring-boot-project:spring-boot-actuator:test --tests "*Ssl*" --tests "*ssl*" --no-daemon -x checkstyleMain -x checkstyleTest -x checkFormat -x :buildSrc:test -x :buildSrc:check --continue || true
+
+echo -e "\n=== TEST SUMMARY ==="; summary
+EOF
+
+CMD ["/app/run-tests.sh"]
diff --git a/java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/README.md b/java/wolfssl-openjdk-fips-root/test-images/spring-boot-tests/README.md
@@ -0,0 +1,66 @@
+# Spring Boot SSL Tests with wolfJSSE FIPS
+
+This directory contains a Docker image for running Spring Boot SSL/TLS test suites using wolfJSSE and wolfJCE in FIPS 140-3 mode.
+
+## Overview
+
+This Docker image builds and runs Spring Boot's SSL-related test suites with wolfSSL's FIPS 140-3 validated cryptographic library (Certificate #4718), replacing all non-FIPS compliant Java cryptography providers with wolfJCE and wolfJSSE.
+
+## Prerequisites
+
+- The wolfssl-openjdk-fips-root base image built and available
+
+## Building the Image
+
+```bash
+docker build -t spring-boot-wolfjsse-fips .
+```
+
+You can specify a different Spring Boot version using build args:
+
+```bash
+docker build --build-arg SPRING_BOOT_TAG=v3.4.1 -t spring-boot-wolfjsse-fips .
+```
+
+## Running Tests
+
+To run the SSL test suite:
+
+```bash
+docker run --rm spring-boot-wolfjsse-fips
+```
+
+The container will automatically:
+1. Apply FIPS-compatibility patches to Spring Boot source
+2. Convert JKS/PKCS12 keystores to WKS format
+3. Generate CA-signed test certificates
+4. Run SSL-related tests from spring-boot, spring-boot-autoconfigure, and spring-boot-actuator
+
+## FIPS Modifications
+
+The image includes several modifications for FIPS compliance:
+
+### Keystore Format
+- All JKS and PKCS12 keystores are converted to WKS (wolfSSL KeyStore) format
+- WKS is the only keystore format that works with wolfJSSE in FIPS mode
+
+### Password Requirements
+- All keystore passwords are changed to meet FIPS requirements (minimum 14 characters)
+- Default password: `wolfSSLFIPSPwd2024`
+
+### Certificate Requirements
+- All test certificates are CA-signed (self-signed certificates fail native wolfSSL validation)
+- Certificates include proper Subject Alternative Names (SAN) for localhost
+
+### Test Exclusions
+Some tests are disabled due to FIPS incompatibilities:
+- Tests using non-FIPS algorithms (DSA, EdDSA, PBES2)
+- Tests requiring JKS format with PBEWithMD5AndTripleDES
+- Netty/Reactor SSL tests (InsecureTrustManagerFactory incompatible)
+
+## Test Results
+
+The container outputs a summary showing:
+- Number of tests run per module
+- Pass/fail/skip counts
+- Detailed logs are saved in `/tmp/*.log` within the container